This article does not provide legal advice, nor should it be construed as legal advice. All dealership professionals and agents must consult their legal counsel on any legal questions, legal matters, or legal requirements.
Compliance standards are changing. Here’s what you need to know.
Introduction: The Safeguards Rule is changing
Of all the challenges the car industry has faced this past year, one has become a particular focus: the new amendments to the Safeguards Rule. Issued under the Gramm-Leach-Bliley Act, this rule defines responsibilities that every dealership must meet to remain compliant. Your partners at Allstate Dealer Services want to make sure you have the information you need before the amendments go into effect on December 9, 2022.
What’s the Gramm-Leach-Bliley Act, again?
The Gramm-Leach-Bliley Act was passed in 1999 in response to large financial institutions seeking to merge their businesses. For the auto industry, it has had three major and lasting impacts: it defined dealers as non-bank financial institutions, it led to the Safeguards Rule, which dictates how dealers must protect consumers’ nonpublic personal information, and it established the Privacy Rule, which protects consumers’ right to know with whom their information is shared and their right to opt out of certain sharing.
The Safeguards Rule and why it’s being amended
The Gramm-Leach-Bliley Act isn’t new. The amendments to the Safeguards Rule are. So even if you have kept up with all the requirements in the past, these changes may have a major effect on how you run your business going forward.
Why the change? The amendments raise the standard for keeping consumer data secure and private, replacing the old rule’s general expectations with specific, required safeguards.
Enhancing the Safeguards Rule
The updated Safeguards Rule provides refined security measures and standards, including:
- A definition of what counts as a consumer record (the rule’s term is “customer information”) and a defined set of requirements for protecting that information.
- Dealers are now required to provide enhanced oversight of any service providers and vendors with whom they share consumer information (including DMS, CRM, and product and service providers).
- Dealers that maintain information on fewer than 5,000 consumers are exempt from some of the enhanced requirements (the written risk assessment, annual penetration testing, the written incident response plan, and the written annual report to the board), but not from the rule as a whole.
What do these enhancements mean in practice for your dealership? Looking closely, a few new requirements stand out:
Technical controls are now required, not optional
- Several elements of the amended Safeguards Rule (encryption, multi-factor authentication, activity logging, and vulnerability testing) cannot be met with written policy alone; they require technical tools.
The Written Information Security Program (WISP) must be updated
- A qualified individual must be designated to implement, maintain, and update the WISP.
Dealers are now required to document security events and report them
- Security events must be documented and reported to senior leaders at the dealership. The Federal Trade Commission (FTC) has also proposed requiring dealers to notify the Commission itself of certain security events.
All personnel must be trained to the new standards
- Security awareness training must be updated to address the security risks identified in your risk assessment.
Additional oversight is required wherever protected consumer information flows
- Any internal system or provider with which consumer information is shared now requires enhanced oversight.
15 elements of the amendments
The amended rule contains at least 15 elements that may take time and effort to implement fully at your dealership:
- Designate a qualified individual, internal or outsourced, to oversee the program.
- Create and conduct a written risk assessment that identifies reasonably foreseeable internal and external risks to consumer information.
- Create policies, including access controls, that secure all written and digital data and limit each user’s access to only the consumer information they need to do their job.
- Perform a system and data inventory so you know where consumer data is stored and how it flows between systems.
- Encrypt consumer information both at rest and while in transit over external networks.
- Adopt secure development practices for any in-house applications that handle consumer information.
- Require multi-factor authentication for anyone accessing a system where consumer nonpublic information is housed, unless the qualified individual has approved controls that are reasonably equivalent or more secure.
- Implement procedures to monitor and log user activity within systems.
- Document secure data disposal procedures, including disposing of consumer information no later than two years after its last use unless it is still needed for a legitimate business purpose or required by law.
- Adopt change management policies for any changes that take place within a system.
- Build procedures that monitor activity and detect unauthorized access to, or use of, consumer information.
- Regularly test the effectiveness of your safeguards: either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months.
- Oversee and monitor service providers.
- Write an incident response plan.
- Provide a written annual report to the dealership’s board of directors or equivalent governing body covering, at a minimum, the overall status of the program, compliance with the Safeguards Rule, and any material matter relating to information security.
Plan ahead now
As we work towards maximizing profitability in the auto industry, we need to make sure we’re doing it right, and in a way that protects consumers and businesses. And while this may seem like a lot to accomplish, it’s our responsibility to uphold the credibility of the auto industry, and the security of the consumers.
We’ve laid out some helpful steps below:
- Designate a qualified individual to lead or manage your program. This can be in-house or outsourced.
- Prepare the written documentation of your WISP, and make sure all the required elements are included.
- Implement all technical IT requirements (including multi-factor authentication) for all systems and service providers that your dealership does business with.
- Implement internal IT procedures, including vulnerability testing, access-control permissions, clear ownership of policy updates, and a defined process for revoking access when employees leave.
- Provide training to all personnel.
- Oversee service providers and vendors to ensure they are all in compliance with the amendments.
And the road to compliance begins now! Keep in mind your dealership needs to meet all requirements by December 9, 2022.
As always, Allstate Dealer Services* strives to help keep you informed about important industry changes that impact your dealership. And we’re here to help you succeed. Please contact us with any questions at AllstateDealerServices.com.
*Allstate Dealer Services is a marketing name for Pablo Creek Services, Inc., E.R.J. Insurance Group, Inc. d/b/a American Heritage Insurance Services, and First Colonial Insurance Company; each of these entities is a member of the Allstate family of companies.